Backing a Managed Card with Alternate Credentials

When a Managed Card is used, the user must authenticate to the identity provider (IP), in order to get a token.  The choices of authentication type are username/password, Kerberos, X509 certificate or a Self-Issued card.  Each authentication type offers its own advantages and disadvantages. 

·       Usernames and passwords are easy to deploy, and users are familiar with them, but because they employ shared secrets they are also subject to social engineering attacks.

·       Kerberos is great if your users are at work and using a card to access a federation partner’s site or web service, or accessing internal services that run on other platforms and usually can’t leverage their Windows identity.   Since the user doesn’t need to enter extra credential info when they use the card, it requires little user interaction.  The downside of Kerberos is that it doesn’t work well for many usage scenarios, such as when the user isn’t at work.

·       X509 certificate backed cards can offer strong security, so are a good choice in high value scenarios.  However the scenario needs to be of high enough value to justify the distributing and managing soft certificates or smart cards.

·      Self-issued backed cards offer a streamlined experience since using them doesn’t require extra user interaction (though the user can choose to PIN protect their self-issued card).  Of course, the self-issued card is stored on the machines it is used on, so it is probably not a good idea to use self-issued cards on a less trustworthy machine. (Does your friend really run an up-to-date virus scanner on his/her home machine?)

Those are the choices for picking a single authentication method.  But what about cases where it could be useful to have a single card that can support different authentication methods?  An example scenario is one where a user has a card on her laptop, which when she is at work and uses Kerberos, and when she is not at work uses X509 (or some other authentication method).

Specifying alternate authentication methods is fairly straightforward  – at least as straightforward as a single authentication method.  Alternate authentication methods are specified by including multiple <TokenService> elements in the Managed Card (.crd) file, were each token service can use a different authentication method.  Details of this can be found the Identity Selector Interoperability Profile (Section 4.1.1.2).

 It is important to note that the Token Services appear in decreasing order of preference. CardSpace uses this order to determine the sequence with which it will attempt to use the token services.  CardSpace will first try to retrieve the policy using the metadata location URL from the first token service endpoint in the .crd file.  If policy cannot be retrieved from the metadata location, or if the policy does not contain an entry for the specified token service, CardSpace will fail over to the next token service defined in the .crd file.

<ic:TokenServiceList>

  <ic:TokenService>

    <EndpointReference >

      <Address>http://contoso.com/kerb/sts</Address>

      <Metadata>

        <Metadata>

          <wsx:MetadataSection>

            <wsx:MetadataReference>

              <Address>https://contoso.com/kerb/sts/Mex</Address>

            </wsx:MetadataReference>

          </wsx:MetadataSection>

        </Metadata>

      </Metadata>

    </EndpointReference>

    <ic:UserCredential>

      <ic:KerberosV5Credential/>

    </ic:UserCredential>

  </ic:TokenService>

  <ic:TokenService>

    <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">

      <Address>https://fabrikam.com/X509/sts</Address>

      <Metadata>

        <Metadata>

          <wsx:MetadataSection Dialect="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns="">

            <wsx:MetadataReference>

              <Address>https://fabrikam.com/STS/mex</Address>

            </wsx:MetadataReference>

          </wsx:MetadataSection>

        </Metadata>

      </Metadata>

    </EndpointReference>

    <ic:UserCredential>

      <ic:X509V3Credential>

        <ds:X509Data>

          <wsse:KeyIdentifier

            ValueType="http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-soap-message-security-1.1#ThumbprintSHA1"

            EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

              OdiGsVrqbay3mn6BAjiHontnV1U=

            </wsse:KeyIdentifier>

        </ds:X509Data>

        </ic:X509V3Credential>

        </ic:UserCredential>

  </ic:TokenService>

(Figure 1)

 

CardSpace follows this same algorithm for each endpoint: first connect to the metadata endpoint, then retrieve policy for the specific token service endpoint.

For an example, suppose the metadata endpoint for the first service shown in Figure 1 is unavailable, and the metadata endpoint for the second token service does not contain policy for the STS endpoint.  In that case, CardSpace will first try to retrieve the policy from the metadata location https://contoso.com/kerb/sts/Mex.  Since that URL is unavailable, CardSpace will fail over to the next TokenService element, and retrieve the policy from https://fabrikam.com/STS/mex. However, since in this example, policy is returned, but does not contain information for the token service endpoint https://fabrikam.com/X509/sts, CardSpace will move to the next TokenService.  This process continues until the policy is successfully retrieved for a token service, or there are no more token services to try.  If the policy is retrieved for a token service, but the token service is not available, no fail-over occurs, at which point CardSpace will show an error to the user.

Now back to the example using Kerberos at work and X509 from home.  This can be accomplished with CardSpace by specifying two token services in the .crd file.  The first of the endpoints uses Kerberos authentication.  The metadata endpoint for the Kerberos token service can be made available only from a machine using the corporate network.  Fail over to the x509 endpoint will then occur when the user is not at work.

Let me know if there are questions or comments on how this works.  Hopefully this is useful for some more advanced Managed Card scenarios.  To learn more I recommend reading the Identity Selector Interoperability Profile, as well as chapter 3 of ‘Understanding Windows CardSpace’ .  In the spirit of full disclosure, I’m co-author on the book so have been hesitant to self promote, but I’m mentioning it here as I really think it is relevant, and sincerely hope others find it useful.

Thanks,

Caleb

CardSpace Certificate Chain Validation Issue with Intermediate Certificates

One problem with the original version of CardSpace was that it seemed to reject some legitimate SSL sites, but like all tricky bugs, it didn’t happen consistently enough to be caught in the first release. What was going on was that sometimes CardSpace couldn’t validate the intermediate certificates in the certificate chain because of a disconnect with the browser’s certificate store.

If intermediate certificates aren’t installed on a user’s computer, most browsers use the certificate obtained from the site to reconstruct the whole chain and show the user they are at an SSL site. CardSpace, as it turns out, was not able to get the missing certificates.

Since, this bug could make a legitimate site appear to be fraudulent in CardSpace and because the behavior is intermittent, it might be missed by a web developer adding support for Information Cards to their site.

We asked the IE team and the maintainers of the browser add-on for Firefox to enable CardSpace to retrieve the correct certificate, and they did. The update to IE was included in the October 2007 IE Security Update and the updated Firefox add-on can be downloaded here (thanks Axel!). Implementers of other Identity Selectors should consider whether this issue is present in their code as well. I’ll hand off now to Shan to explain more details about the problem and the fix.

Rob Franco
Lead Program Manager

CardSpace

========

Introduction – How the recipient certificate & its intermediates are retrieved by the browser

When a client navigates to a (https) site in a browser, there is a SSL handshake by the browser with the site. This handshake involves the client receiving the

• certificate of the site, and
• any intermediate certificates, if any, that are part of the recipient certificate’s issuer chain.

The intermediate certificates (if any) are necessary to build the certificate chain  to a trusted root CA for purposes of certificate validation.

Note that CardSpace does an independent validation of the recipient certificate, in addition to the browser.

Why CardSpace certificate validation in .NET 3.0 would fail when intermediate certificates are not present on the client machine

When CardSpace was being invoked by the browser, the intermediate certificates received during the browser SSL handshake were not passed to CardSpace. Only the leaf certificate was passed in. Since the intermediate certificates were not passed in (and CardSpace did not have a mechanism to receive them), the only way for the chain to be built (and validated) successfully by CardSpace was if the intermediates were already present in the local Intermediate certificate store.

Therefore, when intermediate certificates were NOT present on the client machine, CardSpace validation of the recipient certificate would fail even though the site actually chained up to a trusted CA (and showed up fine within the browser).

A possible workaround for this issue

A potential workaround for this problem is to have relying parties certificates utilize the Authority Information Access (AIA) extension (with accesMethod=cAIssuers). This extension, added by CAs in the issued certificates, allows certificate verifiers to retrieve the issuing certificates when intermediate certificates are not present in the verification environment.

However, it may not be judicious to overly depend on the AIA infrastructure as a workaround for this issue. This is because CAs may not choose to include this extension. In addition, it is often unreliable, especially with enterprise CAs.  For example, the URL specified in the AIA extension might be invalid or unreachable.

How have we fixed this issue in the .NET Framework 3.0 SP1 version of CardSpace

The CardSpace team has made a fix in the .NET Framework 3.0 SP1 (which ships as part of .NET 3.5) to address this issue. This change enables the Internet Explorer module (or other browser add-ons) to pass the intermediate certificates that were retrieved during the SSL handshake into CardSpace. These intermediate certificates are then used by CardSpace for chain building and validation. 

To accomplish this fix, we have added a new version of the recipient-policy struct, namely RECIPIENTPOLICY2 to the updated version of CardSpace API “GetBrowserToken”. The old version of the struct, RECIPIENTPOLICY, which only passes the leaf certificate information, should be considered deprecated.

At the same time, the Internet Explorer (IE) module that communicates with CardSpace to pass certificate information from the browser to CardSpace has been updated to provide the complete certificate chain to CardSpace. This update comes in the October 2007 IE Security Update.

Other Information Card browser add-ons written to invoke CardSpace should also be updated to take advantage of this fix.

Some notes for sites using CardSpace

If you are using CardSpace, you do not have to worry about this issue, assuming your clients will be running the .NET Framework 3.5 AND have the latest IE updates (if they are running IE) or have a version of the Firefox add-on that takes advantage of the fix.

You can check for the right version of CardSpace by checking the user agent string for the following token:

Updated CardSpace (.Net 3.5) = “.NET CLR 3.5.21022”

Details of the fix for browser add-on developers written to invoke CardSpace

(If you are simply a site using CardSpace, then the below section on how to invoke the GetBrowserToken API with the new structures does NOT apply to you)
As mentioned previously, we have added a new version of the recipient-policy struct, namely RECIPIENTPOLICY2 to the updated version of CardSpace API “GetBrowserToken”:

HRESULT

CARDSPACECALL GetBrowserToken(

__in DWORD dwParamType,

__in PVOID pParam,

__out_opt DWORD* pcbToken,

__out_bcount_opt(*pcbToken) PBYTE* ppToken );

This function is currently documented in MSDN: http://msdn2.microsoft.com/en-us/library/aa702769.aspx ) though it has not yet been updated with the .NET 3.5 changes.

To utilize the intermediate certificate fix in .NET 3.5, i.e. to invoke CardSpace passing in the intermediate certificates of the recipient, you would invoke the API in this following way:

• dwParamType should be set to value RECIPIENTPOLICYV2 (which is really value 2)
• pParam should point to a RECIPIENTPOLICY2 structure (see below)
  • For the ENDPOINTADDRESS2,
    • DWORD identityType should be set to 2
    • PVOID identityBytes should be set to a CERTIFICATE_CHAIN_BLOB
      • DATA_BLOB rawCertificates should contain (see struct definition from wincrypt.h below)
        • Count of certificates
        • Bytes of each certificate of the certificate chain retrieved by invoking CertSerializeCertificateStoreElement (which retrieves the bytes of each certificate in the chain in DER encoded form)
        • Note that the recipient certificate is assumed to be the 0^th (zeroth) element of this array, followed by its issuer at index 1 (one) etc., followed by the issuer of the issuer at index 2 (two) and so on.

When invoking CardSpace in the no-SSL case, the identityBytes pointer in the ENDPOINTADDRESS2 structure should be NULL.

typedef struct _RECIPIENTPOLICY2

{

ENDPOINTADDRESS2 ^recipient;

ENDPOINTADDRESS2 issuer;

LPCWSTR tokenType;

CLAIMLIST requiredClaims;

CLAIMLIST optionalClaims;

LPCWSTR privacyUrl;

UINT privacyVersion;

}RECIPIENTPOLICY2, *PRECIPIENTPOLICY2;

typedef struct _ENDPOINTADDRESS2

{

LPCWSTR serviceUrl;

LPCWSTR policyUrl;

DWORD identityType;

PVOID identityBytes;

}ENDPOINTADDRESS2, *PENDPOINTADDRESS2;

typedef struct _CERTIFICATE_CHAIN_BLOB

{

DWORD certCount;

DATA_BLOB* rawCertificates;

}CERTIFICATE_CHAIN_BLOB, *PCERTIFICATE_CHAIN_BLOB;

typedef struct _CRYPTOAPI_BLOB {

DWORD cbData;

BYTE *pbData;

} DATA_BLOB, *PDATA_BLOB,

NOTE: If your clients do not have the have the updated (.NET 3.5) CardSpace bits, then calling the "GetBrowserToken" API with the new RECIPENTPOLICY2 struct would yield E_INVALIDARG for HRESULT. Therefore if you are a browser add-on developer and do not intend to break .NET 3.0 clients then you would check whether .NET 3.5 is installed before invoking the API with the new RECIPENTPOLICY2 struct.

You can do this by checking for the presence of this key:

[HKEY_LOCAL_MACHINE\Software\ Microsoft\NET Framework Setup\NDP\v3.5]

"Install"=dword:00000001"

If the key does not exist then you would resort to using the original RECIPENTPOLICY struct.

---------------------------------------------------------------------------------------------------------------

We hope this fix helps you keep CardSpace running problem free with your sites!

Sudarshan [Shan] Sundar

Software Development Engineer,

CardSpace Team

What happens when applications don’t get along with CardSpace

 

It has come to our attention on the Windows CardSpace team that occasionally there are compatibility issues between CardSpace and other applications.  One cause of issue is our use of a private desktop.  While the private desktop can not be accessed by programs running as the user; a program can switch to the user desktop so that the user can no longer access the CardSpace UI.  The goal of this post is to give you the necessary information to diagnose when an application is conflicting with CardSpace, and provide as much guidance as possible in how to resolve the situation.

What if CardSpace fails when launched?

 

Let’s say you try and invoke CardSpace by double clicking the “Windows CardSpace” icon in the control panel.  If you were to see nothing happen at all, see a flash of the private desktop, or maybe if you see a couple seconds of the private desktop before you are switched  back to the user desktop; you may think to yourself, “Whoa!  What happened?”.   If you try to invoke CardSpace again you might get this message:

 

Since the message asked politely, you go and look at the “Application” Event Log and check the latest entry for CardSpace.  Even if you’re not asked, it’s a good idea to look in the event log if you’re having issues. Let’s suppose you see this:

 

This message indicates that CardSpace is still open.  If the UI had closed during the first failed attempt, then it wouldn’t have been too busy to start the second time.  This means that CardSpace is likely still running, and you just can’t see the UI.  You should check the task manager for the two entries I have circled below: 

 

These two entries prove that CardSpace did not crash; the CardSpace UI was simply hidden when you were switched away from the private desktop.  The error message appears after the second launch attempt due to the fact that the CardSpace service is still running, and can’t start a second instance.

 

How do I find out which process is causing the problem?

 

Unfortuntely, up to this point, you probably don’t know which process could be causing the distress.  Here comes the hard part.  In order to find who may be switching you back to the user desktop  it may be necessary to kill every non-essential process, then re-introduce them one at a time to pinpoint the exact culprit.  Sites like http://www.processlibrary.com/ provide a quick way to lookup processes to ascertain if they are critical to the operation of your system.  It may also be helpful to check the CardSpace MSDN forums for applications that have been noticed to cause issues.

Anti-virus suites, password managers, and other security application are all candidates for application incompatibility.  These can be a problem when they injudiciously disallow private desktops resulting in CardSpace being collateral damage.

As of now, once the interfering application is found, the only way to regain CardSpace functionality is to ensure that said application is not running when you use CardSpace.  However, if you encounter a problem please let us know on the forum so that we can investigate and follow up where we can.

What now?

 

I am well aware that application incompatibility is a pain.  In an ideal world CardSpace would always work regardless of what applications are installed on your machine.  Unfortunately in computing, programs sometimes have competing interests and compatibility issues cannot always be avoided.  I can assure you that application compatibility, as it pertains to overall CardSpace usability, will always be considered in future releases, as will our commitment to a high level of security.

 

You may have noticed I didn’t mention anything about browser plug-ins.  If you can start CardSpace from the Control Panel, but cannot invoke it from the browser, it is possible that a plug-in is the culprit.  I view this as a completely separate issue, since the root cause is significantly different.  I will post a separate entry on plug-ins in the near future.

 

Thanks,

Brian Houck

SDET – Windows CardSpace

 

 

Posted by CardSpaceBlog | 2 Comments

Filed under: CardSpace

About Relying Party STSs (a.k.a, what is RequireFederatedIdentityProvisioning?)

A useful, yet sparsely documented feature of Windows CardSpace is its support for resource side Security Token Services (STSs) – STSs that are used by relying parties rather than Identity Providers. Vittorio has done an excellent job helping to provide detail on this subject, and I highly recommend people interested in understanding more about what resource STSs are and why they are useful, read his post. In this post I want to fill out some of the technical details. That said, I'll start with a short introduction to the subject with an example I’ve found particularly helpful.

The canonical CardSpace scenario has a relying party (RP), usually a website, which requires a token from an identity provider (IP). The user selects a card in CardSpace. CardSpace then requests a token from the corresponding identity provider. A token is returned to the CardSpace client, which then sends it to the relying party. Figure 1 shows the RP site, and the IP STS the RP has a relationship with. In the following figures, the line connecting IPs and RPs indicates where explicit relationships exist.

Figure 1

Now, part of the flexibility of CardSpace and the Identity Metasystem, is that it is trivial for an RP to set up new relationships with multiple IPs, as shown in figure 2.

Figure 2

What’s interesting about the case with one RP and multiple IP’s is that the RP site maintains the logic about how to authenticate the various IPs, and potentially has logic to understand the different claims the IPs release (for example one IP could release the claims ‘first name’ and ‘last name’, and another ‘full name’. The RP needs to know how to normalize these into values it understands). Additionally, if the different IPs creates tokens in different formats, the RP needs to know how to understand each of these formats.

This is fine, and a good way for an RP to be able to work with multiple IPs. Now say the RP is part of an organization that needs publish more than one website or web services. Each site needs to duplicate the logic for understanding how to communicate with multiple IPs (show in figure 3)

Figure 3

Clearly for RPs with many sites and many partners, this can become unwieldy. It can be a lot of relationships that need to be maintained in multiple locations. A standard solution to this complexity is for the RP to also run an STS. The relying party’s STS maintains all of the logic around communication with the various IPs, and produces a consistent token format. The other RP sites can then request a token from the RP STS, and only need be able to process this token (figure 4).

Figure 4

RP STSs are not for everyone, but can be a big simplification for complex deployments.

STSs are just specialized web services, so expose policy about how to connect to them, including security requirements. The security requirements may state that issued token is required from another RP STS; this can create a chain of STSs. In the browser scenarios CardSpace automatically follows the RP STS chain, contacting the correct STSs, resolving their policy and continuing to the next STS. In the case of a Windows Communication Foundation (WCF) application, the policy chain can be resolved from a configuration file, but CardSpace itself doesn’t resolve the policy chain (the underlying difference here is a call to CardSpace’s GetBrowserToken() API or GetToken() APIs).

Figure 5

The policy chain can be longer than just a single RP STS, as shown in Figure 5. In this example, the RP Site would specify the requirements of the token it requires from RP STS 1; this would include required claims, STS endpoint URL, and STS metadata exchange policy (MEX) endpoint. Similarly, RP STS 1; would specify the requirements of the token it requires from RP STS 2. RP STS 2 would then specify the requirements for the token it needs. Since the token comes from an IP STS, the only required information is a least one required claim; the details about how to the IP STS can be retrieved from the card the user selects. However, RP STS 2 may also specify an issuer, so only cards from the desired issuer are user selectable.

Of course, the more STSs in the chain, the more processing time is required to request all of the tokens. This delay will be noticed as CardSpace starts (chasing the policy chain) and when it closes (retrieving the tokens). During these delays, the user sees the CardSpace progress page (figure 6).

Figure 6

To get CardSpace to follow an STS chain, it needs to be given the STS endpoint and MEX policy endpoint of the RP STS, as well as the claims that are being requested from the RP STS. This can be done from a web site by using the x-informationCard object tag. The issuer param is used to specify the STS endpoint, issuerPolicy specifies the MEX policy endpoint.

CardSpace will retrieve the policy from the issuerPolicy URL. Since a MEX policy can define policy for multiple STSs, the issuer URL must match one. The policy for the RP STS is then used to decide what to do next. If it is an IssuedToken request that can be satisfied by a self issued or managed card, CardSpace shows the user her cards, and the usual user interaction begins. One interesting point to note; the policy from the RP STS, not the RP site, is used for card selection. This makes sense, because the token returned by the IP STS must satisfy the RP STS requirements and the token from the RP STS satisfies the requirements of the RP website.

The steps in a CardSpace interaction with an RP website, RP STS and IP STS, are listed below, and shown in figure 7.

1) The user goes to the RP website

2) Token requirements are returned via the x-informationCard object tag

3) CardSpace queries for policy from the RP STS

4) Policy is returned from the RP STS

5) The user selects a card that matches the RP STS policy

6) CardSpace makes a request for a token from the IP STS (RST)

7) The token is returned from the IP STS to CardSpace (RSTR)

8) Using the token from the IP STS, makes a request for a token from the RP STS (RST)

9) A token is returned to CardSpace (RSTR)

10) CardSpace returns the token to the site

Figure 7

For an example that you can try, check out the age sts at Identity Lab. The page requests the claim ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/age’ (this is just a made up claim URI and not defined anywhere) from an RP STS; that is, the age STS. The age STS requests a self-issued card with the claim ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/DateOfBirth’. When a user goes to the page, she needs to submit a self-issued card, which contains a ‘Date of Birth’ claim. This is sent to the age STS, which calculates age and creates a new token, which is returned to the web site. The web site then shows the claim values it has received, in this case, the age. In this scenario, the age STS is playing the role of a claim transformer, as described in the Identity Metasystem.

As previously stated, the RP STS’s policy is used for card matching. Similarly, if the RP STS requests a PPID, it is the RP STS certificate that is used for calculating the PPID, not the certificate of the RP site. This is so a single RP STS can service multiple sites, but always gets the same PPID for a given user from CardSpace.

The certificate information CardSpace shows the user is that of the RP site, even though the policy is used from the RP STS. This may seem somewhat contradictory, however since the RP site is truly the site the user is visiting; the user needs to make a trust decision about it. If the site chooses to use a RP STS, this is more an implementation detail, and by choosing to trust the RP site, the user indirectly trusts the services that site chooses to use.

In addition to the RP site cert getting shown in CardSpace, it is also used to track card usage history. So if a card is used at two different RP sites that rely on the same RP STS, two separate entries will be created in the card history.

The astute reader may notice I’ve only handled cases where the RP site and RP STS have a certificate, and may wonder what would happen if the RP web site uses HTTP, which now works with CardSpace. The answer is the RP site and RP STS must both have certificates. The support of HTTP only sites was made to help smaller sites that may not have much in the way of security requirements, but still want to use CardSpace. However, the RP STS support is targeted at sites and organizations which have more complex scenarios, for whom the procuring a certificate and using HTTPS for additional security is likely to already be a security requirement.

For the actual STS endpoints HTTPS (transport) is not required, however the binding the STS uses must have a certificate. This could be provided by transport or message security. The examples in this post use message security for the STS endpoints, which is why the STS URLs start with HTTP, yet they still have certificates associated with them.

Ok, now for a quick quiz.

Say there is an RP website that contains the below object tag.

And the policy at the MEX endpoint, ‘https://ipsts.federatedidentity.net/sts.svc/mex’, declares a requirement for a token with the issuer ‘http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self’ and claim ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname’ and ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname’. That is, the STS is requesting a token from a self-issued card that contains a first and last name.

How is the resulting flow best described?

a) The website is requesting a token from an RP STS. The RP STS is requesting a token from a self-issued card. So the user will see CardSpace UI open and will get to pick which self-issued card to use. The self-issued token is then sent to the RP STS, which generates a token that is sent to the RP web site.

b) The website is requesting a token from an IP STS. CardSpace opens and the user selects the managed card whose issuer is ‘http://ipsts.federatedidentity.net/sts.svc’. Authentication to the IP STS is done with a self-issued card, so on selection of the managed card CardSpace automatically sends the token generated by the correct self-issued card to the IP STS. The token from the IP STS is then sent to the RP site.

c) Not enough information.

This really was kind of a trick question. The right answer is c) not enough information. It may be tempting to say a) since a MEX endpoint is defined in the object tag. However, IP STSs have MEX endpoints as well, it just isn’t necessary to include them in the object tag for IP STSs, since the MEX endpoint is also defined in the managed card. So the presence of a MEX endpoint in the object tag is only required when using an RP STS, but does not guarantee that an RP STS is being referred to. If you think about it, it would seem strange for the RP site to be the one dictating if the next STS in the chain is an IP STS or RP STS; that decision should authoritatively be made and expressed by the STS itself. Still, it is probably good practice not to specify the MEX endpoint (issuerPolicy) for an IP STS, since the MEX call will need to be made again anyway when the managed card is used, and just calling once will be faster. Also, not including the MEX endpoint makes it so the RP site won’t be affected if the MEX URL changes for any reason.

That leaves the obvious question. If there wasn’t enough information, what other information is needed? The answer lies in the MEX policy of the STS. If it is an IP STS, it will have the element <ic:RequireFederatedIdentityProvisioning xmlns:ic=”http://schemas.xmlsoap.org/ws/2005/05/identity” /> in its policy. The following description of RequireFederatiedIdentityProvisioning appears in Identity Selector Interoperability Profile V1.0

This element indicates a requirement that one or more information cards, representing identities that can be federated, must be pre-provisioned before token requests can be made to the identity provider.

In other words, the element is placed at federation boundaries. When crossing a trust boundary it makes sense that a user interaction may occur, and cards are great way for the user to be involved. Back in figure 4, the box drawn with the dashed line represents a trust boundary around the RP. All sites and STSs in the boundary often don’t require user interaction when communicating with each other, since all tokens passed around are within an organization. Also since it is between parties in the same organization, there should not be any privacy concerns. However, as soon as the boundary is hit, as in the case of federation, it makes sense for the user to be prompted. Note, in most cases this boundary will be between organizations, but it could even be in an organization if the information being passed is not already freely shared between the group running the RP STS and RP site.

This element was described in a fairly straightforward scenario, but it is actually required to resolve ambiguities in many cases, such as in the case that a web service is accessed by an application using the WCF stack, the stack needs to have a way to know if CardSpace should be invoked. The credential required to authenticate to the final STS in a chain can be collected in other ways than just CardSpace, such as when the credentials of the currently logged in user are used, or the user is prompted directly for username and password through some custom application. If the RequireFederatedIdentityProvisioning element is in the last policy in a policy chain (or one from the last), CardSpace will be called.

WCF developers may be wondering how to set RequireFederatedIdentityProvisioning in policy, from config. It is done by using the <useManagedPresentation> binding element.

In Summary

Hopefully this provides a good reference for people interested in understanding RP STS.

I’ve tried to give a quick explanation of what a RP STS is, as well as a case in which it may be used. I think some of the key take-away points are:

1) CardSpace also works with RP STSs, which consume the tokens represented by cards.

2) There can be multiple RP STSs in a chain.

3) CardSpace must be given the MEX endpoint URL of an RP STS, either from the WCF app config or from the issuerPolicy element in the x-informationCard object tag for browser applications.

4) Each RP STS needs a certificate, and the web site making the initial request must use HTTPS.

5) <RequireFederatedIdentityProvisioning> is the hint to CardSpace that an STS is an IP STS – not an RP STS.

Please let me know if you have any questions, or can think of any CardSpace topics that could use some more documentation.

Thanks,

Caleb

CardSpace on FAT File Systems

The version of Windows CardSpace that shipped in .NET Framework 3.0 will not run when installed on a FAT file system. We’ve received a surprising amount of feedback (some of the earliest from Pamela Dingle) that customers are still using FAT file systems and this is causing problems.  This was done because FAT doesn’t provide ACLs and therefore the files CardSpace uses for storing cards can be deleted or corrupted by malicious code running as the user. Since the store files are still double encrypted by both the user’s and the system’s keys, even on a FAT drive, user code cannot access the contents of the file and read the secret card information. Given the feedback we received, and that the cards are still protected against theft, we decided to make the changes and enable CardSpace (shipped with .NET Framework 3.5) on FAT File Systems. This change doesn’t have any side effect on the rest of the product so running CardSpace on partitions formatted with FAT or NTFS produces the same results.

This is a change intended to meet some customers’ demands but we still recommend the use of NTFS because it’s a more secure environment not only for CardSpace but also for all other files in the computer.

 

Rafael
Windows CardSpace Team

Exiting CardSpace after Installing or Restoring Cards

Here’s another change we made in .NET Framework 3.5 to improve our user experience. Users often got confused on what to do after installing a managed card or restoring their backed up cards when initiated outside of CardSpace. This would usually be initiated by double clicking on a *.crd or *.crds file or opening a managed card file off a webpage.

In the previous flow, after clicking Install or Restore, the user would be returned to their card list with no remaining steps to do besides exiting the program.

 

Therefore we’ve changed the flow to automatically exit the program after successfully adding the card(s). We’ve also changed the text in the button to notify the user that CardSpace will exit when that button is clicked. That way they won’t think CardSpace just suddenly closed or crashed on them.

Like most of the other user experience changes we made (i.e. having full-color for the default self-issued card), these were driven mainly by user feedback. We really appreciate all the feedback. Please keep it coming!

//Toland Hon

CardSpace support for Oasis WS-SX standards

The OASIS Web Services Secure Exchange (WS-SX) technical committee has published specifications for WS-Security extensions and policies to enable the trusted exchange of SOAP messages. Their effort resulted in the WS-SX specifications that include WS-Trust, WS-Security policy and WS-Secure conversation. This standardization of WS-Trust is good news. Gartner says that:

 

OASIS's ratification of two key standards means that Web services security has finally reached a level of maturity acceptable to many enterprises. This is a positive development for vendors and customers alike.

The ratification happened in March 2007 and support for these standards was one of the main changes included in the .NET Framework 3.5 release of CardSpace.

 

Overview of new WS-Trust specification

The OASIS WS-Trust is very similar to the one people have been using. The main differences are:

1.      Returning the security token: a RequestSecurityTokenCollection element is used to return a security token in the final response.

 

2.      SecondaryParameters: When a requestor inserts parameters into an RST request that come from a third party, for example a relying party policy, there is a potential for an attack. In the contributed request, both requestor RST parameters and third party RST parameters are mixed together as direct children of the wst:RequestSecurityToken element. This prevents an STS from differentiating between the RST parameters based on their source. Therefore, the STS trusts both kinds of RST parameters in the same way. This can open a potential attack vector because the third party is given control over the content of the RST message that the requestor sends to the STS. For this purpose, a new element wst:RequestSecurityToken/wst:SecondaryParameters was introduced, that acts as a bag for RST parameters introduced by a third party. This allows an STS to mitigate the attack by differentiating parameters originated by the requestor and parameters not originated by the requestor. Note that same element can occur as direct child of <RequestSecurityToken> as well as child of SecondaryParameters.

 

 

3.      Bearer tokens: This trust version supports bearer tokens.

 

4.      Namespace changes: A new namespace http://docs.oasis-open.org/ws-sx/ws-trust/200512 was introduced. This affects the URI for KeyType, RequestType and SOAP Action on the STS endpoint. For e.g., the symmetric key type is http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey in place of http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey.

 

5.      Batch requests possible: In scenarios where multiple RSTs need to be sent, it is now possible to send them all at once using a RequestSecurityTokenCollection. This helps avoid multiple network round-trips. (Not a CardSpace scenario)

How does this all affect CardSpace?

First I would like to clarify that the CardSpace changes for the new WS-Trust version implement an additional feature. CardSpace will continue to support the previous WS-Trust specification (http://specs.xmlsoap.org/ws/2005/02/trust/ws-trust.pdf) having the namespace http://schemas.xmlsoap.org/ws/2005/02/trust.

If you have developed an STS or rich applications using the previous trust version, those will continue to work.

 

Which scenarios can leverage the new trust specification?

1.      Managed card scenarios: An Identity Provider can choose to use the new trust version

2.      A web service: Rich web services based on WS-* protocols can choose to use the new trust version. E.g., a Calculator web service built using WCF that uses CardSpace to secure its service endpoint.

3.      Resource-STS: A resource STS can choose to use the new trust version. The Resource STS can serve either a website or a web service (as in previous point).

 

Note that the scenario involving a website asking for a self-issued card cannot leverage the new trust version.

 

CardSpace behavior when the new trust version is involved

1.      Identity Provider: The Identity provider issues managed cards and generates token on demand. The card issuance is not affected at all. For token generation, following is the new behavior:

a.      Policy retrieval: CardSpace determines the trust version used by the IP STS based on the policy. The policy needs to be expressed using the WS-SX version of security policy and use the Trust13 assertion to specify its WS-Trust capabilities. When using WCF for building the STS, use bindings such as WS2007FederationHttpBinding or CustomBinding with a security version like WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12 for the appropriate policy to be generated. Sample policy snippet looks like:

 

<wsp:Policy wsu:Id="policy">

    <wsp:ExactlyOne>

        <wsp:All>

            <ic:RequireFederatedIdentityProvisioning xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"></ic:RequireFederatedIdentityProvisioning>

            <sp:SymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

                ...

            </sp:SymmetricBinding>